A variety of internet-based applications are widely used in our animation activities because they provide free and useful services. These applications, such as instant messaging, can be run via the web, mobile, or computer-based devices. Therefore, the security and privacy of user data in these apps have become a concern in recent years because of the sensitive and confidential information involved. Many instant messaging applications, like Viber, have various security and privacy issues that need to be understood and resolved. Viber users reached 800 million, and their number increased dramatically due to the efficient services that this app provides. Hence, a loophole in an application's design may allow illegal access to the app and to confidential and sensitive data. In this article, we proposed a security approach for Viber to safeguard user confidential data and sensitive information. The proposed approach involves two theoretical solutions: a short message service (SMS) authentication code and the physical hardware number, to prevent illegal access to user data. Several scenarios are adopted to assess the proposed approach and achieve security and privacy for the user information.

Keywords: Privacy; Security; User privacy; Viber; Web applications
1. INTRODUCTION

Currently, the use of smartphones has increased dramatically, and instant messaging (IM) apps have 
become a necessity for users. Many companies offer free instant messengers with outstanding features such 
as texting, phone calls, videos, and file sharing. Therefore, the security and privacy of data collected by these 
applications have recently become a concern due to sensitive and confidential information considerations. 

In the digital era, different internet-enabled applications that offer free and efficient services have been used widely by people [1]. The most popular apps are IM applications, which offer access to online services and can be run via the web, mobile, and computer-based devices [2], [3]. These apps also allow us to exchange information in real time via text messaging, voice messaging, and file sharing [4]. According to Sutikno et al. [5], instant message users worldwide reached 3.8 billion at the end of 2020. However, like other conventional technologies, instant messaging services have also been used to commit fraud, spread malware, hack users' personal information, and commit acts that violate the law [6]. Zhang et al. [7] mentioned that ordinary people use instant messaging applications in their daily communication [8].

On the other hand, terrorists have employed instant messaging for planning terrorist attacks, since the encryption applied in instant messaging prevents them from being watched. Besides, children who have less knowledge of using IM may publish personal information that could harm them or their families [9]. In addition, poor design, configuration faults, or weaknesses in the written code of these applications make them frequently vulnerable to attacks and to theft of users' sensitive and confidential information [10]. Thus, the security and privacy of user data in these apps have become a concern in recent years because of the sensitive and confidential information involved. Various instant messaging applications suffer from multifarious security and privacy problems, among them the Viber app, a chat application with over 800 million registered users on its platform. After Edward Snowden revealed the existence of surveillance systems, the majority of users have had concerns about unreliable communication. However, many people still like insecure instant messaging applications because there is no instant messenger that could satisfy all the users' preferences.

Different studies have presented many indicators related to consumers' concerns about the use of their data, such as users' awareness of data collection, misuse of data, internet user experience, and consumers' level of learning [11]. According to Schrder et al. [12], many companies collect, sell, and/or exchange the users' data with other companies or individuals for commercial or educational purposes. Also, Seghiri and Belguidoum [13] and Kadhim and Gaata [14] show that several companies work on the internet to collect personal data and use it to make a profit. A study by Unger [15] reports that, based on a security evaluation of nine IM applications, most of these applications have major security flaws, which make them prone to various kinds of attacks [16], [17]. Moreover, an article by two researchers revealed that IM server owners could access the personal data of their customers whenever they want [18]. Also, an article by Öğüt et al. [19] shows that hackers can retrieve user data, including sent and received messages, photos, and other files, from the mobile phone if they have physical access and proper software [20]. Many published papers noted that most social media applications, including IM, violate user privacy and are exposed to different types of vulnerabilities. The authors listed the weaknesses, which include revealing passwords and storing private information on the application server [21], [22]. However, the majority of the articles and research that studied the security of IM applications have only evaluated their safety according to experiment and lab setups [23]. They neither describe the chat application structure nor propose any solution or design to secure those applications [24], [25].

The proposed method is described in the following section, starting with an analysis and discussion of the vulnerability and a framework for how to fix it. Upon successful installation and activation of Viber on a Windows-based PC, user data containing encrypted credentials are generated inside the roaming folder, which can be accessed via the user's application data. This data allows the user to open Viber without having to re-enter credentials every single time. However, this has also led to a significant security flaw that enables access to any Viber account if the victim's computer is not adequately protected.

The folder that Viber creates to store the account data is named ViberPC. When this folder is copied to another computer that also has Viber installed, the victim's account will immediately open once the Viber app is run, exposing contacts and messages without any authentication process. This is unlike other instant messaging apps such as WhatsApp, which requires a QR code to be scanned by the phone during the first-time run and when data files are copied to another PC. Figure 1 presents a typical scenario demonstrating the vulnerability in the Viber instant message application, and Figure 2 shows a flowchart of the steps to activate the vulnerability.


[Figure 1 diagram: Copy ViberPC folder from victim's PC to another PC]

Figure 1. Typical scenario demonstrating the vulnerability

[Figure 2 flowchart: Viber is installed and activated? -> Locate Roaming folder: \Users\[username]\AppData\Roaming -> Copy ViberPC folder -> Paste ViberPC folder to the same path of another PC -> Run Viber app -> Victim's contacts and messages are now exposed]

Figure 2. Flowchart showing the steps to activate the vulnerability


2. PROPOSED APPROACH

Two theoretical methods are proposed in this paper that should fix the application vulnerability. 
Admittedly, due to the nature of the following solution, it has not been tested as it requires direct 
modifications to the software which can only be done by the developing company. This can also be seen as a 
limitation of this study. 


2.1. Authentication message method 

This method triggers an authentication request in the form of a message every time the application starts. When the user launches the Viber app on the PC, a message containing an activation code is sent to the Viber app on the user's mobile phone. The user has to enter the code to launch the application and see contacts and messages. The app will stay active until it closes or the PC restarts. Figure 3 presents the algorithm for the authentication message fix.


Algorithm Authentication Message or QR
    Run Viber app
    Authentication = send a message to the Viber application on mobile, or QR
    If Authentication then
        Launch Viber App on PC
    Else
        Access denied
    End if
End Algorithm


Figure 3. Authentication message fix 
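
The check in Figure 3, written out as an added Python example (not code from the paper or from Viber): the server issues a short-lived, single-use activation code and the desktop client launches only after it verifies. The class and function names, the 120-second lifetime and the three-attempt limit are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3         # assumed limit on wrong guesses per code


class LaunchCodeGate:
    """Server-side one-time activation codes for desktop launches (sketch)."""

    def __init__(self):
        self._pending = {}  # account -> [code_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account: str, now: float) -> str:
        """Create a fresh 6-digit code; the caller delivers it to the phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = [self._digest(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, account: str, code: str, now: float) -> bool:
        """Return True once per issued code; expired or exhausted codes fail."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[account]
            return False
        if hmac.compare_digest(digest, self._digest(code)):
            del self._pending[account]      # single use: a replayed code fails
            return True
        entry[2] = attempts_left - 1        # count the failed guess
        return False


def launch_desktop_app(gate, account, entered_code, now):
    """Figure 3 decision: open the profile only after a valid code."""
    return "launch" if gate.verify(account, entered_code, now) else "access denied"
```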


2.2. Storage media serial number 

This method relies on the storage media hardware, such as the internal hard disk drive (HDD). The HDD and most storage media have a built-in serial number assigned by the manufacturer during the manufacturing process. No identical serial numbers exist among these hardware units, even when the same company made them and they are the same model.

The authentication stage in the proposed method is triggered every time the application launches. First, it checks whether this is the first time the application starts. If the answer is yes, the installation process proceeds normally and is finalized by registering the serial number of the HDD or of whatever storage hardware the user uses. On the other hand, if the application has already been launched before, it compares the serial number that was registered during the installation process with the current serial number of the HDD. If both values are identical, the application starts normally. Otherwise, an error message appears on the screen that requires the user to re-install the application. Figure 4 presents the algorithm for the storage media serial number fix, which prevents illegal access to the user account by an attacker.
Algorithm Storage Media Serial Number
    Run Viber app
    If First time run then
        Complete installation typically and register the hard disk storage serial number
        Launch Viber App on PC
    Else
        If Check (hard disk serial number) then
            Launch Viber App on PC
        Else
            Access denied
        End if
    End if
End Algorithm


Figure 4. Storage media serial number fix 
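
The decision in Figure 4 as an added Python example (not code from the paper or from Viber), with the registered serial kept on the server side as Section 3 describes, so that copying the ViberPC folder does not copy the registration with it. The names, the salted HMAC storage and the sample serials are assumptions of this sketch; the caller supplies the serial read from the local disk.

```python
import hashlib
import hmac
import secrets


class DeviceBindingRegistry:
    """Server-side record of the storage serial registered at first run (sketch)."""

    def __init__(self):
        self._bindings = {}  # account -> (salt, keyed digest of serial)

    @staticmethod
    def _tag(salt: bytes, serial: str) -> bytes:
        # Normalise so formatting differences do not cause false mismatches.
        return hmac.new(salt, serial.strip().upper().encode(), hashlib.sha256).digest()

    def first_run(self, account: str, serial: str) -> None:
        """Finish installation: remember which storage device owns the profile."""
        salt = secrets.token_bytes(16)
        self._bindings[account] = (salt, self._tag(salt, serial))

    def check(self, account: str, serial: str) -> bool:
        """Compare the current serial with the registered one in constant time."""
        binding = self._bindings.get(account)
        if binding is None:
            return False
        salt, expected = binding
        return hmac.compare_digest(expected, self._tag(salt, serial))


def launch(registry, account, current_serial, profile_exists):
    """Figure 4 decision for one application start."""
    if not profile_exists:
        # Assumed to follow the normal account activation during installation.
        registry.first_run(account, current_serial)
        return "launch"
    if registry.check(account, current_serial):
        return "launch"
    return "access denied: re-install required"


# Constructed sample serials, not real hardware identifiers.
VICTIM_PC_SERIAL = "WD-EXAMPLE0001"
OTHER_PC_SERIAL = "ST-EXAMPLE9999"
```

The serial is reported by the client, so the result is only as trustworthy as the code that reads it.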


3. RESULTS DISCUSSION AND ANALYSIS 

Two scenarios have been designed to evaluate the proposed security methods. The first one (the vulnerability case) represents the current status of the Viber application: when the ViberPC folder is copied to another computer that has Viber installed, the victim's account will immediately open once the Viber app is running. As a result, the victim's account can be monitored, and all the sent and received messages, photos, and data will appear on the other PC (Figure 5).

The second scenario describes the protected status when the two proposed protection methods are applied. In the first method, the victim is notified by an SMS containing an activation code, to ensure that unauthorized people have no permission to launch the Viber application account. The other approach checks the current HDD serial number against the one registered on the Viber servers during the installation process; if both numbers match, Viber launches normally; otherwise, access is rejected (Figure 6).

The two theoretical solutions proposed in this paper require authentication to be made every time the application starts. The first method involves sending an SMS containing an authentication code to the phone number that was previously used to register the account. When the code is entered, Viber will start normally. Despite the high level of security involved in this approach, admittedly, it can be less practical, as the authentication process is required every time the application is launched, which can also be cumbersome.

The other, more practical, method utilizes the hardware's actual number, which is unique and given by the manufacturer to every storage hardware unit. The storage media serial number cannot be masked or altered, as it is burned within the hardware circuitry. Furthermore, this approach can be more practical, as the authentication is done automatically on the software side without requiring human interaction. Once the authentication process is complete, Viber will be launched, and user data will be loaded. One major challenge in this paper is the lack of practical validation of the proposed solutions. Due to the closed-source nature of the application, it is impossible to modify the source code of Viber to implement and examine the solutions illustrated in this research.


[Figure 5 flowchart: Viber PC application -> Copy ViberPC folder to another computer -> Launch the Viber app -> Viber app is running with the victim's account, and all data are accessible]

Figure 5. Not protected scenario
[Figure 6 flowchart: Viber PC application -> Copy ViberPC folder to another computer -> Launch the Viber app -> SMS activation code / Check HDD serial number -> Launch Viber successfully, or Access denied]

Figure 6. Protecting approach


4. CONCLUSION 

The rapid increase in popularity of the instant messaging application Viber in recent years has led to security challenges that need to be addressed to protect the privacy of the millions who use this application. This paper focuses on a significant vulnerability that hackers can take advantage of to quickly gain access to all personal data of the victim. Upon critical analysis, once the data folder that Viber creates after successful installation is copied to another PC, the victim's personal data will be exposed and can be viewed by the hacker. This is due to the lack of proper authentication when the application starts. This paper proposes two theoretical solutions that require authentication to be made every time the application starts. In the first method, the user gets an SMS message containing an authentication code, sent to the phone number previously used to register the account. In the second method, the authentication is done automatically on the software side, without requiring human interaction, by utilizing the hardware's actual number. In conclusion, protecting users' privacy and security should always be given high priority in any software, especially software that stores personal data, pictures, or videos. As long as the user data is stored locally, unprotected and unencrypted on the computer, gaining access to these data might not be difficult even for an intermediate hacker. It is vital to prevent access to personal data by employing authentication processes to confirm the identity of the user before making the data accessible.